Roundcube alongside Nextcloud

by Carsten Rieger ·
Published 27. November 2017
· Updated 22. May 2018

We will run Roundcube 1.3.6 in a subfolder alongside and within Nextcloud on your NGINX, harden it with TOTP (2FA) and fail2ban, and finally add functionality with a CardDAV plugin for Nextcloud contacts. To run Roundcube (https://your.dedyn.io/emails) alongside and within Nextcloud (as an “external site”), your NGINX configuration has to be modified and extended. But first back up your old *.conf files inside the nginx directories. Substitute all the values shown in red below with those of your environment.

Save and quit the file (:wq!) and log on to your Roundcube instance. Then activate twofactor_gauthenticator in the settings panel:

If you paste your Nextcloud secret and apply these settings, you can log on to Roundcube using the same second factor as for Nextcloud. Log out and log in to Roundcube again. From now on your account is protected by a second factor for authentication. Note that both applications now store the same TOTP secret, so the second factor is only as strong as the less protected of the two databases: a secret read from either one yields valid codes for both.

Log out of Roundcube and go ahead with the implementation of fail2ban to prevent brute-force attacks. Change to the plugin directory again:

Log on to your Roundcube instance. Then verify that fail2ban is working as expected:

fail2ban-client status nextcloud && fail2ban-client status roundcube

Log on to Nextcloud and Roundcube once more using wrong credentials. Then check the fail2ban status again:

fail2ban-client status nextcloud && fail2ban-client status roundcube

If you see e.g. “Currently failed: 1” for both jails, your Nextcloud and Roundcube instances have been hardened with TOTP and fail2ban. Finally, we add Nextcloud contacts to Roundcube using the carddav plugin. First log out of Roundcube and change to the plugin directory again:
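The check above (one wrong login each, then fail2ban-client status) only shows that the jails see the failures. The following added example, which is neither the article's jail configuration nor fail2ban's own code, models what the two jails do with them: it applies simplified versions of the failregex patterns commonly used for Nextcloud's nextcloud.log and Roundcube's errors log to constructed log lines and implements the maxretry/findtime rule, so you can see why a single failure only shows up as “currently failed” while a burst from one address gets banned. The regexes, jail parameters and log lines are assumptions for the demo.

```python
"""Offline model of what the two fail2ban jails in this article count and ban.

Added example, not the article's jail configuration and not fail2ban's own
code.  The two regexes are simplified versions of the failregex patterns
commonly used for Nextcloud's nextcloud.log and Roundcube's errors log; the
log lines below are constructed for this demo (reserved documentation IPs).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nextcloud logs JSON lines; a failed login carries the client IP in the message.
NEXTCLOUD_RE = re.compile(
    r'"time":"(?P<time>[^"]+)".*"message":"Login failed: \'[^\']*\' '
    r'\(Remote IP: \'(?P<host>[^\']+)\'\)"'
)
# Roundcube's errors log line starts with "[dd-Mon-yyyy HH:MM:SS +zzzz]: <id>".
ROUNDCUBE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]:.*?IMAP Error: Login failed for \S+ against \S+ '
    r'from (?P<host>\d{1,3}(?:\.\d{1,3}){3})'
)
ROUNDCUBE_TIMEFMT = "%d-%b-%Y %H:%M:%S %z"

# Constructed sample logs: 203.0.113.7 hammers both logins, 198.51.100.9 fails
# once on Nextcloud and twice on Roundcube 25 minutes apart.
NEXTCLOUD_LOG = """\
{"reqId":"r1","level":2,"time":"2018-05-22T10:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r2","level":2,"time":"2018-05-22T10:00:20+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r3","level":0,"time":"2018-05-22T10:00:30+00:00","remoteAddr":"--","user":"--","app":"cron","method":"","url":"--","message":"Run background job"}
{"reqId":"r4","level":2,"time":"2018-05-22T10:01:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r5","level":2,"time":"2018-05-22T10:02:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.9')"}
"""

ROUNDCUBE_LOG = """\
[22-May-2018 10:03:01 +0000]: <a1b2c3d4> IMAP Error: Login failed for admin against localhost from 203.0.113.7. (POST /emails/?_task=login&_action=login)
[22-May-2018 10:03:15 +0000]: <a1b2c3d5> IMAP Error: Login failed for admin against localhost from 203.0.113.7. (POST /emails/?_task=login&_action=login)
[22-May-2018 10:03:40 +0000]: <a1b2c3d6> IMAP Error: Login failed for admin against localhost from 203.0.113.7. (POST /emails/?_task=login&_action=login)
[22-May-2018 10:05:00 +0000]: <a1b2c3d7> IMAP Error: Login failed for alice against localhost from 198.51.100.9. (POST /emails/?_task=login&_action=login)
[22-May-2018 10:30:00 +0000]: <a1b2c3d8> IMAP Error: Login failed for alice against localhost from 198.51.100.9. (POST /emails/?_task=login&_action=login)
[22-May-2018 10:31:00 +0000]: <a1b2c3d9> PHP Error: constructed noise line that must not match (GET /emails/)
"""


def failures(lines, pattern, timefmt=None):
    """Yield (timestamp, host) for every line the jail's regex matches."""
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        raw = m.group("time")
        ts = datetime.strptime(raw, timefmt) if timefmt else datetime.fromisoformat(raw)
        yield ts, m.group("host")


def banned_hosts(events, maxretry, findtime):
    """fail2ban's rule: ban a host once it has maxretry failures inside findtime.
    Failures older than findtime drop out of the window, so slow guessing
    below the rate is not caught by this rule alone."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(events):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def jail_status(log_text, pattern, timefmt=None, maxretry=3, findtime_s=600):
    """Roughly what `fail2ban-client status <jail>` reports for the given log."""
    events = list(failures(log_text.splitlines(), pattern, timefmt))
    banned = banned_hosts(events, maxretry, timedelta(seconds=findtime_s))
    return {"total_failed": len(events), "banned": sorted(banned)}


if __name__ == "__main__":
    print("nextcloud:", jail_status(NEXTCLOUD_LOG, NEXTCLOUD_RE))
    print("roundcube:", jail_status(ROUNDCUBE_LOG, ROUNDCUBE_RE, ROUNDCUBE_TIMEFMT))
```

With the assumed maxretry of 3 and findtime of 600 seconds, the single wrong login from the article's test stays a “failed” entry, the burst from 203.0.113.7 is banned in both jails, and the two Roundcube failures from 198.51.100.9 never ban because they fall outside one findtime window; widening findtime or lowering maxretry changes that, which is the trade-off you tune in the jail.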

Steps to reproduce:
1. Open Chromium/Chrome (we tested with 63+)
2. Log in to Roundcube
3. In a new tab log in to Nextcloud
4. Log out from Nextcloud

Expected behavior:
1. Nextcloud will be logged out
2. Roundcube will still be logged in and usable

What happens:
1. Nextcloud will be logged out
2. Roundcube session will be expired (!) and user logged out <- this is the issue

More info:
1. It happens with Chrome/Chromium only, Firefox behaves as expected.
2. I investigated a little bit what happens, and I found that *logging out from Nextcloud deletes all cookies from sibling subdomains*.

I'm unable to determine why cookies from sibling subdomains are deleted and if this is a Chrome/Chromium bug or a Nextcloud issue. Did you ever encounter this issue? I saw Nextcloud uses the "Clear-Site-Data header" at logout. Could this be related to this issue? Thank you very much!